Date: Sat, 6 Dec 2014 05:27:32 +0100
From: Dennis Felsing
To: zsh-workers@zsh.org
Subject: free() error on simple input scripts
Message-ID: <20141206042732.GA28745@ti.fritz.box>
List-Id: Zsh Workers List
X-Seq: 33881
User-Agent: Mutt/1.5.22 (2013-10-16)

Hello,

Simply running zsh (from git) on each of the two attached files causes a free() error for me:

    *** Error in `/usr/local/bin/zsh': free(): invalid next size (fast): 0x00000000009708c0 ***

This was found by fuzzing with AFL: http://lcamtuf.coredump.cx/afl/

Dennis

gdb output:

    Program received signal SIGABRT, Aborted.
    0x00007ffff6eeb5e7 in raise () from /lib64/libc.so.6
    (gdb) bt
    #0  0x00007ffff6eeb5e7 in raise () from /lib64/libc.so.6
    #1  0x00007ffff6eec9c8 in abort () from /lib64/libc.so.6
    #2  0x00007ffff6f2a0d4 in __libc_message () from /lib64/libc.so.6
    #3  0x00007ffff6f2f9fe in malloc_printerr () from /lib64/libc.so.6
    #4  0x00007ffff6f30716 in _int_free () from /lib64/libc.so.6
    #5  0x00000000006fccfd in unmeta (file_name=0x7fffffffc1d0 "/media/intel/vtune_amplifier_xe_2011/bin64/d\203") at utils.c:4238
    #6  0x0000000000473137 in iscom (s=0x7fffffffc1d0 "/media/intel/vtune_amplifier_xe_2011/bin64/d\203") at exec.c:824
    #7  hashcmd (arg0=0x7ffff7ff3560 "d\203", pp=0x969168, pp@entry=0x969160) at exec.c:878
    #8  0x0000000000489575 in execcmd (state=0x7fffffffd820, input=0, output=0, how=, last1=2) at exec.c:2886
    #9  0x000000000049059e in execpline2 (state=0x7fffffffd820, pcode=16729, pcode@entry=131, how=18, input=0, output=0, last1=5798544, last1@entry=0) at exec.c:1698
    #10 0x0000000000491294 in execpline (state=state@entry=0x7fffffffd820, slcode=, how=how@entry=18, last1=) at exec.c:1485
    #11 0x00000000004952ab in execlist (state=state@entry=0x7fffffffd820, dont_change_job=dont_change_job@entry=0, exiting=exiting@entry=0) at exec.c:1268
    #12 0x0000000000495ce7 in execode (p=0x7ffff7ff33f0, dont_change_job=0, exiting=0, context=0x72a141 "toplevel") at exec.c:1074
    #13 0x0000000000515861 in loop (toplevel=1, justonce=0) at init.c:185
    #14 zsh_main (argc=, argv=) at init.c:1649
    #15 0x00007ffff6ed7dc5 in __libc_start_main () from /lib64/libc.so.6
    #16 0x0000000000413829 in _start ()

Attachment 1: filename="id:000000,sig:06,src:000000,op:havoc,rep:16" (application/octet-stream, base64)

    Zjggev+hKAX//wU7IGRcAGVjaCBkb25lZQo=

Attachment 2: filename="id:000001,sig:06,src:000002,op:havoc,rep:8" (application/octet-stream, base64)

    rq6uJlwACg==
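A small triage helper, added here and not part of the report or of zsh: it decodes the two attached AFL test cases from the base64 above, flags the bytes that never occur in an ordinary script (NUL, other control bytes, anything above 0x7f) and lists the byte sequences both crashers share, so the inputs can be recreated on disk and run under gdb or a sanitizer without re-typing them. The filenames and base64 bodies are taken from the message; the function names are my own.

```python
import base64
import sys
from pathlib import Path

# The two attachments exactly as they appear in the message (AFL-style
# filenames and base64 bodies).
ATTACHMENTS = {
    "id:000000,sig:06,src:000000,op:havoc,rep:16": "Zjggev+hKAX//wU7IGRcAGVjaCBkb25lZQo=",
    "id:000001,sig:06,src:000002,op:havoc,rep:8": "rq6uJlwACg==",
}

def decode_attachments(attachments=ATTACHMENTS):
    """Return {filename: raw bytes} for every base64 attachment."""
    return {name: base64.b64decode(b64) for name, b64 in attachments.items()}

def odd_bytes(data):
    """(offset, value) of every byte that is not plain printable ASCII:
    NUL, other control bytes (tab and newline excepted) and anything
    >= 0x80. Ordinary scripts never contain these, so they are the first
    thing to inspect when a crash lands in the lexer or in unmeta()."""
    return [(i, b) for i, b in enumerate(data)
            if b == 0 or b >= 0x80 or (b < 0x20 and b not in (0x09, 0x0a))]

def common_sequences(blobs, min_len=2):
    """Byte sequences of at least min_len bytes that occur in every blob,
    longest first; shows what independently found crashers have in common."""
    first, rest = blobs[0], blobs[1:]
    found = []
    for n in range(len(first), min_len - 1, -1):
        for i in range(len(first) - n + 1):
            seq = first[i:i + n]
            if seq not in found and all(seq in b for b in rest):
                found.append(seq)
    return found

def write_test_cases(directory):
    """Recreate the attachments on disk (to feed to zsh under gdb or a
    sanitizer); returns the paths written."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, data in decode_attachments().items():
        (out / name).write_bytes(data)
        paths.append(out / name)
    return paths

if __name__ == "__main__":
    for path in write_test_cases(sys.argv[1] if len(sys.argv) > 1 else "crashers"):
        print(path.name, odd_bytes(path.read_bytes()))
    print("shared:", common_sequences(list(decode_attachments().values())))
```

Both decoded inputs turn out to contain a backslash immediately followed by a NUL byte, which matches the dangling "\203" byte at the end of the command word seen in the backtrace.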